(U) What is a VPN?

- (U) A Virtual Private Network or VPN is a computer network that uses encryption to securely connect remote users/networks over an otherwise insecure network, usually the public internet.

- (U) Common Types:
  - PPTP, IPSec, SSL

- (U) Public Key Cryptography (key exchange and authentication)
  - Diffie-Hellman, RSA

(U) PPTP

- (U) Microsoft Point-to-Point Tunneling Protocol
- (U) Control Channel
  - TCP port 1723
- (U) Data Channel
  - GRE, IP protocol 47 (enhanced GRE carrying PPP frames)
- (U) RFC 2637 (PPTP), RFC 3078 (MPPE encryption)
- (U) Note: MPPE keys derive from the MS-CHAPv2 exchange, whose DES-based handshake is publicly known to be breakable, so PPTP should be treated as weak protection regardless of configuration

(U) IPSec

- (U) Authentication
  - Pre-shared key (PSK) or public key certificates
- (U) ISAKMP/IKE packets are used for key exchange and to establish the secure connection
  - UDP port 500; UDP port 4500 when NAT traversal (NAT-T) is in use; TCP port 500
- (U) ESP packets contain the encrypted data
  - IP protocol 50; UDP port 4500 when UDP-encapsulated for NAT traversal (RFC 3948)
- (U) RFC 2402 (AH), RFC 2406 (ESP), RFC 2408 (ISAKMP), RFC 2409 (IKEv1), RFC 4306 (IKEv2)
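The port and protocol numbers on the PPTP and IPSec slides above, as an added example that is not part of the original briefing: a small Python classifier that reads raw IPv4 packets and labels them as PPTP control (TCP/1723), PPTP data (GRE, IP protocol 47, protocol type 0x880B), ISAKMP/IKE (UDP/500), NAT-T (UDP/4500, telling IKE behind the four-byte non-ESP marker apart from UDP-encapsulated ESP as RFC 3948 specifies), raw ESP (IP protocol 50), or a TLS handshake record on the SSL ports 443/995. It also pulls out the fields that stay in the clear and are worth keying on: IKE SPIs, version and exchange type, and the ESP SPI and sequence number. The packets are constructed inline with minimal headers and zero checksums; they are not captures.

```python
"""Classify raw IPv4 packets by the PPTP and IPSec signalling described above.
Added example; every packet below is constructed, not captured."""
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_CTRL_PORT, ISAKMP_PORT, NAT_T_PORT = 1723, 500, 4500
PPTP_GRE_PROTOCOL_TYPE = 0x880B            # "enhanced GRE" carrying PPP, RFC 2637
TLS_PORTS = {443, 995}

# ISAKMP exchange types (RFC 2408 for IKEv1, RFC 4306 for IKEv2).
IKE_EXCHANGE = {2: "IKEv1 main mode", 4: "IKEv1 aggressive mode", 5: "IKEv1 informational",
                32: "IKEv1 quick mode", 34: "IKEv2 SA_INIT", 35: "IKEv2 AUTH",
                36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 informational"}

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload), honouring the IHL field."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    addr = lambda b: ".".join(str(x) for x in b)
    return pkt[9], addr(pkt[12:16]), addr(pkt[16:20]), pkt[ihl:]

def describe_isakmp(data):
    """Decode the fixed 28-byte ISAKMP header: SPIs, version, exchange type."""
    if len(data) < 28:
        return {"kind": "ISAKMP (truncated)"}
    ispi, rspi, _next, ver, xtype, _flags, _msgid, _len = struct.unpack("!QQBBBBII", data[:28])
    return {"kind": "ISAKMP", "version": f"{ver >> 4}.{ver & 0x0F}",
            "exchange": IKE_EXCHANGE.get(xtype, f"type {xtype}"),
            "initiator_spi": f"{ispi:016x}", "responder_spi": f"{rspi:016x}"}

def describe_esp(data):
    """ESP exposes only the SPI and sequence number in the clear."""
    if len(data) < 8:
        return {"kind": "ESP (truncated)"}
    spi, seq = struct.unpack("!II", data[:8])
    return {"kind": "ESP", "spi": f"{spi:08x}", "seq": seq}

def classify(pkt):
    proto, src, dst, payload = parse_ipv4(pkt)
    base = {"src": src, "dst": dst}
    if proto == IPPROTO_ESP:
        return {**base, **describe_esp(payload)}
    if proto == IPPROTO_GRE:
        ptype = struct.unpack("!H", payload[2:4])[0] if len(payload) >= 4 else None
        return {**base, "kind": "GRE", "pptp": ptype == PPTP_GRE_PROTOCOL_TYPE}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        hdr = (payload[12] >> 4) * 4 if proto == IPPROTO_TCP else 8   # TCP data offset / fixed UDP header
        data, ports = payload[hdr:], {sport, dport}
        if proto == IPPROTO_TCP and PPTP_CTRL_PORT in ports:
            return {**base, "kind": "PPTP control"}
        if proto == IPPROTO_UDP and ISAKMP_PORT in ports:
            return {**base, **describe_isakmp(data)}
        if proto == IPPROTO_UDP and NAT_T_PORT in ports:
            # RFC 3948: four zero bytes (non-ESP marker) mean IKE is inside; a real ESP SPI is never zero.
            if data[:4] == b"\x00\x00\x00\x00":
                return {**base, "nat_t": True, **describe_isakmp(data[4:])}
            return {**base, "nat_t": True, **describe_esp(data)}
        if proto == IPPROTO_TCP and ports & TLS_PORTS and len(data) >= 5 and data[0] == 0x16 and data[1] == 3:
            return {**base, "kind": "TLS handshake", "record_version": f"3.{data[2]}"}
    return {**base, "kind": "other", "proto": proto}

# --- constructed sample packets (minimal headers, checksums left zero) ---
def ipv4(proto, src, dst, payload):
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ip(src), ip(dst)) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data

A, B = "198.51.100.10", "203.0.113.5"
IKE_MAIN_MODE = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 2, 0, 0, 28)
SAMPLES = {
    "ike": ipv4(IPPROTO_UDP, A, B, udp(500, 500, IKE_MAIN_MODE)),
    "nat_t_ike": ipv4(IPPROTO_UDP, A, B, udp(4500, 4500, b"\x00" * 4 + IKE_MAIN_MODE)),
    "nat_t_esp": ipv4(IPPROTO_UDP, A, B, udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 16)),
    "esp": ipv4(IPPROTO_ESP, A, B, struct.pack("!II", 0xDEADBEEF, 42) + b"\xbb" * 16),
    "pptp_ctrl": ipv4(IPPROTO_TCP, A, B, tcp(40000, 1723, b"")),
    "pptp_gre": ipv4(IPPROTO_GRE, A, B, struct.pack("!BBH", 0x30, 0x81, PPTP_GRE_PROTOCOL_TYPE) + b"\x00" * 8),
    "tls": ipv4(IPPROTO_TCP, A, B, tcp(40001, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10} {classify(pkt)}")
```

The port-only checks are the same heuristic an XKS fingerprint applies; the header decodes are what lets you pair the two directions of a tunnel (matching initiator/responder SPIs, or one ESP SPI per direction) rather than just counting packets.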
(U) IPSec in a nutshell

[diagram slide; no text recovered]

(U) SSL/TLS

- (U) Secure Sockets Layer/Transport Layer Security
- (U) WARNING! e-commerce = tons of uninteresting SSL traffic
- (U) Common ports: TCP ports 443 (HTTPS), 995 (POP3S)
- (U) RFC 2246 (TLS 1.0), RFC 4346 (TLS 1.1), RFC 5246 (TLS 1.2)

(U) SSL in a nutshell

[diagram: server certificate fields, including Subject and Validity]

(U) SSL Exchange

1. Client connects to server
2. Server sends cert to client
3. Client validates cert
4. Key exchange
5. Pass encrypted material
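The five-step exchange above, as an added example that is not part of the original briefing: a byte-level walker over TLS 1.x records (framing per RFC 5246) that reports the parts of steps 1 to 3 visible in the clear before the session is encrypted: the ClientHello and the server name (SNI) it asks for, the ServerHello with the negotiated version and cipher suite, and the Certificate message with a SHA-256 fingerprint of each DER entry in the chain. The handshake bytes are constructed inline, and the certificate bodies are placeholder byte strings rather than real certificates, so the fingerprints are only meaningful as a demonstration of the framing.

```python
"""Walk a TLS 1.x handshake and report the cleartext steps of the SSL exchange.
Added example; the handshake below is constructed, not a capture."""
import hashlib
import struct

HANDSHAKE = 0x16
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone", 16: "ClientKeyExchange"}

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def records(stream):
    """Yield (content_type, record_version, body) for each TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        yield ctype, f"{major}.{minor}", body
        off += 5 + length

def handshakes(body):
    """Yield (msg_type, payload) for each handshake message in a record body."""
    off = 0
    while off + 4 <= len(body):
        mtype, length = body[off], int.from_bytes(body[off + 1:off + 4], "big")
        yield mtype, body[off + 4:off + 4 + length]
        off += 4 + length

def parse_client_hello(p):
    """Client version and the server_name (SNI, extension type 0) it asked for."""
    off = 2 + 32                                          # version + random
    off += 1 + p[off]                                     # session id
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]     # cipher suites
    off += 1 + p[off]                                     # compression methods
    sni = None
    if off + 2 <= len(p):
        end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            off += 4
            if etype == 0:   # list length(2) | name type(1) | name length(2) | host name
                nlen = struct.unpack("!H", p[off + 3:off + 5])[0]
                sni = p[off + 5:off + 5 + nlen].decode("ascii", "replace")
            off += elen
    return {"step": "ClientHello", "version": f"{p[0]}.{p[1]}", "sni": sni}

def parse_server_hello(p):
    off = 2 + 32
    off += 1 + p[off]
    suite = struct.unpack("!H", p[off:off + 2])[0]
    return {"step": "ServerHello", "version": f"{p[0]}.{p[1]}", "cipher_suite": f"0x{suite:04x}"}

def parse_certificate(p):
    """SHA-256 of each DER entry in the chain; the leaf comes first."""
    total, off, fps = int.from_bytes(p[:3], "big"), 3, []
    while off < 3 + total:
        clen = int.from_bytes(p[off:off + 3], "big")
        fps.append(fingerprint(p[off + 3:off + 3 + clen]))
        off += 3 + clen
    return {"step": "Certificate", "chain_sha256": fps}

PARSERS = {1: parse_client_hello, 2: parse_server_hello, 11: parse_certificate}

def walk(stream):
    """Return one dict per handshake message seen, in wire order."""
    out = []
    for ctype, rver, body in records(stream):
        if ctype != HANDSHAKE:
            out.append({"step": f"record type {ctype}", "record_version": rver})
            continue
        for mtype, payload in handshakes(body):
            parser = PARSERS.get(mtype)
            out.append(parser(payload) if parser else {"step": HS_NAMES.get(mtype, f"handshake type {mtype}")})
    return out

# --- constructed sample exchange (not a capture) ---
def record(ctype, body):
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body

def handshake(mtype, payload):
    return bytes([mtype]) + len(payload).to_bytes(3, "big") + payload

def client_hello(host):
    name = host.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return record(HANDSHAKE, handshake(1, body))

def server_hello():
    return record(HANDSHAKE, handshake(2, b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"))

def certificate(chain):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    return record(HANDSHAKE, handshake(11, len(entries).to_bytes(3, "big") + entries))

FAKE_LEAF = b"\x30\x82\x01\x00" + b"LEAF" * 64     # placeholder bytes, not a real certificate
FAKE_CA = b"\x30\x82\x00\x80" + b"ROOT" * 32
SAMPLE_EXCHANGE = (client_hello("vpn.example.net") + server_hello()
                   + certificate([FAKE_LEAF, FAKE_CA]) + record(HANDSHAKE, handshake(14, b"")))
```

Run `walk(SAMPLE_EXCHANGE)` to see the four messages in order. On real traffic the same walker stops being useful after the ClientKeyExchange, which is the point of the slide: once step 4 completes, only the handshake metadata (SNI, cipher suite, certificate chain) is left to work with.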
(TS//SI//REL) Who works VPNs?

- (TS//SI//REL) VPN Working Group (go vpn)
  - S2, S56, CES (OTTERCREEK, NSP, S31322, S3117, S3112), TAO, etc.
- (TS//SI//REL) Alias: [redacted] (Board alias: [redacted])
- (TS//SI//REL) Meets every other Thursday at 1300

(TS//SI//REL) Who works VPNs?

- S3117 + S3142
- OTTERCREEK
- NSP
- S313

- S2 (if tasking needed)
- S3112
- TAO
- OTTERCREEK

(TS//SI//REL) So you think your target is using a VPN...

(TS//SI//REL) SigDev Tools

(TS//REL) VPN Specific
- [tool name not recovered]
- [tool name not recovered]
- TOYGRIPPE

(TS//REL) Also useful
- MARINA
- MASTERSHAKE
- NKB
- PINWALE
- RENOIR
- TREASUREMAP
- TUNINGFORK
- XKEYSCORE

(TS//SI//REL) TOYGRIPPE

- (TS//SI//REL) Database of VPN metadata
  - IPSec, PPTP, ViPNet

[screenshot: TOYGRIPPE query form]
- Display Fields: Case Notation, Site, Type, Gen Source Country, Source IP Address, Destination IP Address, Gen Destination Country, IPSEC Authentication Name
- Data Fields: Sites / Selected Sites, Sources, Vendor Name, Source CIDR, Source Company, Source Country, Dest. Country, Dest. Domain, Info Name, Source IP Addresses, Destination IP Addresses, Source IP Ports, Destination IP Ports (ranges and wildcards accepted; "Clear Addresses File"; "Constrain results to source/destination IP address matches")
- Field information: Timestamp: the timestamp of the traffic as provided by the source (dtTime, timestamp)
- Query data fields based on constraints; Save as Default / Clear / Reset to Default; Save Standard Query (Description)

(TS//REL) TYG Tips:
- Populate "Display Fields"
- For both directions between 2 IPs, use AND
- For either direction connecting to a single IP, put IP in both "Source" and "Destination" boxes, and use OR

[screenshot: TOYGRIPPE query results in a browser, next to XKEYSCORE, NKB and DISCOROUTE tabs; columns: classification, timestamp (2011-04-01 to 2011-04-03), case notation, site, type (IKEv1, ESP), authentication (pre-shared key)]

(U) Export results ... for easier ...

(TS//SI//REL) XKEYSCORE

(TS//REL) Fingerprints
- IPSec
  - vpn/esp
  - vpn/isakmp
- PPTP
  - vpn/pptp*
- SSL
  - network_encryption/ssl

(TS//REL) Search Forms
- Start with FULL DNI
  - vpn/*
  - network_encryption/*
- IPSec
  - IKE Parser
- SSL
  - SSL Parser
(TS//SI//REL) PINWALE

- (TS//SI//REL) Both VPN traffic and sys admins passing information about VPN setup
- (TS//SI//REL) IP addresses and port numbers (ex. AP 00500) ***Document Zone = C2C
- (TS//SI//REL) Display 'DZ Protocol SRC Port', 'DZ Protocol DEST Port', 'Next Protocol Name'

(TS//SI//REL) DISCOROUTE

- (TS//SI//REL) Router configuration data
  - From passive and active collection
  - Key terms to search for within configs:
    - 'crypto map', 'isakmp', 'ipsec', 'pre-shared-key'

[screenshot: collected router configuration showing the login banner ("Authorized Personnel Only. If you do not have explicit authorization issued by UNAMI NMU to access this device, leave now"), System, IP Add, DESCRIPTION ("THIS ROUTER IS THE VOICE GATEWAY INTENDED FOR USE WITH THE ..."), FEATURES]
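The key-term search above, carried one step further as an added example that is not part of the original briefing: a Python scanner that first counts the slide's key terms in a router config (the triage step) and then parses the IKEv1/IPSec blocks that matter to a VPN analyst from Cisco IOS-style syntax: ISAKMP policies, pre-shared keys and their peers, transform sets and crypto maps. A `findings` pass flags what you would escalate from such a config: a PSK stored in the clear (`crypto isakmp key 0 ...` rather than type 6), DES/3DES/MD5 in the policy or transform set, and a weak Diffie-Hellman group. The configuration is constructed for the example, and the IOS syntax handled, the weak-algorithm sets and the finding wording are this example's own choices; note that classic IOS IKEv1 spells PSK authentication `authentication pre-share`, so the literal term `pre-shared-key` (IKEv2 keyring and ASA syntax) scores zero here.

```python
"""Scan an IOS-style router config for the DISCOROUTE key terms and pull out
IPSec peers, pre-shared keys and policy. Added example; the config is constructed."""
import re

SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key 0 Sup3rS3cret! address 203.0.113.5
crypto isakmp key 6 dGhpcy1pcy1lbmNyeXB0ZWQ= address 198.51.100.9
!
crypto ipsec transform-set TS-LEGACY esp-3des esp-md5-hmac
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha256-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set TS-LEGACY
 match address VPN-ACL
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 198.51.100.9
 set transform-set TS-STRONG
 match address VPN-ACL-2
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN-MAP
"""

KEY_TERMS = ("crypto map", "isakmp", "ipsec", "pre-shared-key")   # from the slide

def key_term_hits(config):
    """Triage pass: how many config lines mention each key term."""
    return {t: sum(1 for l in config.splitlines() if t in l.lower()) for t in KEY_TERMS}

def parse_crypto_config(config):
    """Single pass over the config, tracking which indented block we are inside."""
    result = {"isakmp_policies": {}, "isakmp_keys": [], "transform_sets": {}, "crypto_maps": {}}
    block = None
    for line in config.splitlines():
        if not line.startswith(" "):
            block = None
            if m := re.match(r"crypto isakmp policy (\d+)", line):
                block = ("policy", m.group(1))
                result["isakmp_policies"][m.group(1)] = {}
            elif m := re.match(r"crypto isakmp key (\d) (\S+) address (\S+)", line):
                # key type 0 = cleartext in the config, 6 = reversible AES-encrypted
                result["isakmp_keys"].append({"peer": m.group(3), "key": m.group(2), "cleartext": m.group(1) == "0"})
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                result["transform_sets"][m.group(1)] = m.group(2).split()
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                block = ("map", m.group(1), m.group(2))
                result["crypto_maps"][(m.group(1), m.group(2))] = {}
        elif block:
            k, *v = line.strip().split()
            if block[0] == "policy":
                result["isakmp_policies"][block[1]][k] = " ".join(v)        # e.g. encr -> 3des
            else:
                entry = result["crypto_maps"][(block[1], block[2])]
                entry[" ".join([k] + v[:1])] = " ".join(v[1:])              # e.g. "set peer" -> address
    return result

WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}   # example's own choice
WEAK_DH_GROUPS = {"1", "2", "5"}

def findings(parsed):
    """What an analyst would escalate: cleartext PSKs, weak algorithms, weak DH groups."""
    out = []
    for k in parsed["isakmp_keys"]:
        if k["cleartext"]:
            out.append(f"cleartext PSK for peer {k['peer']}: {k['key']}")
    for pid, p in parsed["isakmp_policies"].items():
        for field in ("encr", "hash"):
            if p.get(field) in WEAK_ALGS:
                out.append(f"isakmp policy {pid}: weak {field} {p[field]}")
        if p.get("group") in WEAK_DH_GROUPS:
            out.append(f"isakmp policy {pid}: weak DH group {p['group']}")
    for (name, seq), m in parsed["crypto_maps"].items():
        ts = parsed["transform_sets"].get(m.get("set transform-set"), [])
        if WEAK_ALGS & set(ts):
            out.append(f"crypto map {name} {seq} to peer {m.get('set peer')} uses weak transform-set {' '.join(ts)}")
    return out

if __name__ == "__main__":
    print(key_term_hits(SAMPLE_CONFIG))
    for f in findings(parse_crypto_config(SAMPLE_CONFIG)):
        print("-", f)
```

The parser deliberately keys crypto-map entries by (map name, sequence number): one map carries many peers, and it is the per-sequence `set peer` / `set transform-set` pairing that tells you which tunnel uses which algorithms and which PSK line applies to it.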
(U) Others

- (TS//REL) NKB
- (TS//REL) TUNINGFORK
- (TS//REL) TREASUREMAP
- (TS//REL) RENOIR
- (TS//REL) MASTERSHAKE
- (TS//REL) ROADBED
- [further entries not recovered]
(TS//SI//REL) Basic VPN rules of thumb

If you have an IP address...
- Check TOYGRIPPE and XKS
  - Look for paired traffic
- For IPSec, check sys admin chatter for PSK (DISCOROUTE; PINWALE; MARINA)
- Share your data with OTTERCREEK for vulnerability assessment (XKEYSCORE or DROPBOX)
- Submit tasking

If you don't...
- Look in DISCOROUTE
- Query sys admins in PINWALE and MARINA
- Check your target's TAO projects

EITHER WAY, JOIN THE VPN WORKING GROUP FOR ALL OF YOUR VPN SIGDEV NEEDS

(U//FOUO) Useful Links

- (TS//SI//REL) VPN Working Group (go vpn)
- (TS//SI//REL) OTTERCREEK (go VPN XFT)
  - VPNXFT DROPBOX
- (TS//SI//REL) Network Security Products (go NSP)

(U) Questions?

OTTERCREEK